Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

Listing of Claims: 

1. (Currently Amended) A method comprising: 

provisioning a symmetric cryptographic key across multiple clients through multiple 
embedded agents, each client having one of the embedded agents, one embedded agent in 
each client having an embedded agent to store the symmetric cryptographic key in a storage 
accessible to the embedded agent and not directly accessible to a host processor on the client; 
and 

providing access to an encrypted traffic flow in a network to a client one of the clients 
if the client one of the clients is authenticated with the key , the providing including 

the one of the clients receiving a message requesting a secure connection for 
the encrypted traffic flow, 

prior to any allowing of the requested secure connection, the embedded agent 
of the one of the clients verifying that a platform of the one of the clients is not in a 
compromised state at a time before providing access to the encrypted traffic flow, and 

in response to the message requesting the secure connection and the verifying, 
the embedded agent of the one of the clients providing the key and an assertion that 
the one of the clients is not compromised to a verification entity on the network . 

2. (Currently Amended) A method according to claim 1 , wherein provisioning the key 
through the embedded agents further comprises provisioning the key through an embedded 
agent having network access via a network link not visible to a host operating system (OS) 
running on the client one of the clients . 
3. (Currently Amended) A method according to claim 2, wherein providing access to 
the traffic flow if the client one of the clients is authenticated comprises the embedded agent 
authenticating the client one of the clients over the network line not visible to the host OS. 

4. (Original) A method according to claim 1, wherein providing access to the traffic 
flow further comprises providing multiple clients access with the key to nodes in the 
network, the nodes in the network to decrypt the traffic flow and subsequently encrypt the 
traffic flow to transmit the traffic to a next node in the network. 

5. (Currently Amended) A method according to claim 1, further comprising updating at 
a client the symmetric cryptographic key provisioned across the multiple clients through a 
public and private key exchange with a public and private key associated with the client. 

6. (Canceled). 

7. (Currently Amended) A method according to claim [[ 6 ]] 1, further comprising the 
embedded agent indicating to a remote network device if the client one of the clients is 
compromised. 

8. (Currently Amended) A method according to claim [[ 6 ]] 1, further comprising the 
embedded agent foreclosing network access to the client one of the clients if the client one of 
the clients is compromised. 

9. (Original) A method according to claim 1, further comprising the embedded 
agent performing cryptographic functions on data with the key to authenticate data with the 
key. 
10. (Original) A method according to claim 1, further comprising the embedded 
agent including a derivative of the key in a header of data to be transmitted to authenticate 
the data with the key. 
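
The gated sequence of claims 1 and 7 through 10, as an added example that is not part of this application or its claims. It models one client's embedded agent and the network-side verification entity in Python; it assumes the platform check is a hash of the host image against a golden measurement (the flash-image check of claim 22), and it represents "providing the key" as a proof of possession, an HMAC over the assertion carried in a header (the key derivative of claim 10), rather than sending the key itself. All keys, images, identifiers and message fields are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample values; in the claims these come from provisioning and the platform flash.
KNOWN_GOOD_IMAGE = b"platform-firmware-v1"                    # image the host is expected to run
GOLDEN_MEASUREMENT = hashlib.sha256(KNOWN_GOOD_IMAGE).digest()  # expected measurement of that image
SHARED_KEY = os.urandom(32)                                   # symmetric key provisioned to every agent

def _canon(d: dict) -> bytes:
    return "|".join(f"{k}={d[k]}" for k in sorted(d)).encode()

class EmbeddedAgent:
    """One client's agent; host code never reaches _key (modelled here as a private attribute)."""
    def __init__(self, client_id: str, key: bytes, platform_image: bytes):
        self.client_id, self._key, self.platform_image = client_id, key, platform_image

    def platform_ok(self) -> bool:
        return hmac.compare_digest(hashlib.sha256(self.platform_image).digest(), GOLDEN_MEASUREMENT)

    def handle_request(self, nonce: bytes) -> dict:
        """Verify the platform before anything is allowed, then answer the connection request."""
        if not self.platform_ok():   # claims 7/8: report the compromise, present no key material
            return {"client": self.client_id, "compromised": True}
        assertion = {"client": self.client_id, "compromised": False, "nonce": nonce.hex()}
        # claim 10: a derivative of the key (an HMAC tag) goes in the header; the key itself stays put
        tag = hmac.new(self._key, _canon(assertion), hashlib.sha256).hexdigest()
        return {"header": {"tag": tag}, "assertion": assertion}

class VerificationEntity:
    def __init__(self, key: bytes):
        self._key, self._nonces = key, set()   # same provisioned key as every agent

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._nonces.add(nonce)
        return nonce

    def admit(self, msg: dict) -> bool:
        """Grant the encrypted flow only for a fresh, unforged 'not compromised' assertion."""
        a = msg.get("assertion")
        if a is None or a["compromised"] or bytes.fromhex(a["nonce"]) not in self._nonces:
            return False
        self._nonces.discard(bytes.fromhex(a["nonce"]))  # one-time nonce: no replay of old assertions
        expected = hmac.new(self._key, _canon(a), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, msg["header"]["tag"])

def connect(agent: EmbeddedAgent, verifier: VerificationEntity) -> bool:
    return verifier.admit(agent.handle_request(verifier.challenge()))
```

A modified image, a wrong key and a replayed assertion are all refused, so the verifier never learns anything it could not check against the shared key and its own nonce.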

11. (Currently Amended) An apparatus comprising: 

a host platform on the apparatus including a host processor; 

a secure memory not visible to applications and an operating system (OS) running on 
the host platform; and 

an embedded computational device communicatively coupled with the host platform, 
the embedded device to have a network link transparent to the host processor and the OS, the 
embedded device to manage a cryptographic key shared among the apparatus and network 
endpoints to be used to communicate with a server over the network, to receive the 
cryptographic key on the transparent link and authenticate the apparatus, and to store the 
cryptographic key in the secure memory , the embedded computational device further to 
receive a request for a secure connection providing access to an encrypted traffic flow in the 
network, the embedded computational device further to verify, prior to any allowing of the 
requested secure connection, that the host platform is not in a compromised state at a time 
before providing access to the encrypted traffic flow, and in response to the request for the 
secure connection and the verifying, the embedded computational device further to provide 
the cryptographic key and an assertion that the apparatus is not compromised to a verification 
entity on the network . 

12. (Original) An apparatus according to claim 11, wherein the embedded device to 
have transparent network link comprises the embedded device to have a network connection 
not accessible by the host platform, the link to comply with the transport layer security (TLS) 
protocol. 
13. (Original) An apparatus according to claim 11, wherein the embedded device to 
have a transparent network link comprises the embedded device to have a network 
connection not accessible by the host platform, the link to comply with the secure sockets 
layer (SSL) protocol. 

14. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to verify the identity of the 
apparatus to a network switching device with the key, the key to also be used by the network 
endpoints to verify their respective identities to the network switching device, and the 
network switching device to decrypt encrypted traffic from the apparatus and the network 
endpoints. 

15. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to hash traffic to be transmitted 
with the key. 

16. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to perform cryptographic services 
with the key on traffic to be transmitted. 

17. (Original) An apparatus according to claim 11, wherein the embedded device to 
authenticate the apparatus comprises the embedded device to include a derivative of the key 
in a header of traffic to be transmitted. 

18. (Original) An apparatus according to claim 11, further comprising a second 
embedded computational device, the second embedded device integrated on the host 
platform, to verify the security of the host platform. 


Application No. 10/809,315 
Response to Office Action of December 8, 2008 
Atty. Docket No. 42P19299 
Examiner Schmidt, Kari L. 

19. (Previously Presented) An apparatus according to claim 18, wherein the first 
embedded device to not authenticate the apparatus if the second embedded device determines 
the host platform is not secure. 

20. (Original) An apparatus according to claim 18, further comprising a bi-directional 
private bus between the first and second embedded devices. 

21. (Original) An apparatus according to claim 11, further comprising a counter 
mode hardware cryptographical module on the host platform to encipher traffic with the 
cryptographic key and further provide a counter mode enciphering of the enciphered traffic. 

22. (Currently Amended) A system comprising: 
a host platform including a host processor; 

a digital signal processor (DSP) coupled with the host platform; and 

an embedded chipset including a secure key storage module to perform cryptographic 
key management of a shared cryptographic key with the secure key storage module and a 
private communication channel accessible to the chipset and not the host platform, and to 
access an image of the host platform on a flash accessible to the DSP and not to the host 
processor to determine the integrity of the host platform, the shared cryptographic key to be 
used by the host platform to encipher data and other networked devices within a virtual 
private network , wherein the embedded chipset to receive a request for a secure connection 
providing access to an encrypted traffic flow in the virtual private network, the embedded 
chipset further to verify, prior to any allowing of the requested secure connection, that the 
host platform is not in a compromised state at a time before providing access to the encrypted 
traffic flow, and in response to the request for the secure connection and the verifying, the 
embedded chipset further to provide the cryptographic key and an assertion that the apparatus 
is not compromised to a verification entity on the virtual private network . 
23. (Original) A system according to claim 22, wherein the embedded chipset to 
perform cryptographic key distribution with the private communication channel comprises 
the embedded chipset to perform cryptographic key distribution with a communication 
channel complying with the transport layer security (TLS) protocol. 

24. (Currently Amended) A system according to claim 22, wherein the embedded chipset 
comprises an embedded controller agent and an embedded firmware agent, the firmware 
agent to determine the integrity of perform the verification that the host platform is not in the 
compromised state , and the controller agent to operate the private communication channel 
and manage access by the host platform to secure network connections. 

25. (Currently Amended) A system according to claim 24, further comprising a bi- 
directional private communication path between the [[ the ]] embedded controller agent and 
the embedded firmware agent to allow the agents to interoperate outside a context of the host 
platform. 

26. (Original) A system according to claim 22, further comprising the embedded 
chipset to hash traffic to be transmitted with the key to authenticate the system to one of the 
other networked devices. 

27. (Original) A system according to claim 22, further comprising the embedded 
chipset to perform cryptographic services with the key on traffic to be transmitted to 
authenticate the system to one of the other networked devices. 
28. (Original) A system according to claim 22, further comprising the embedded 
chipset to include a derivative of the key in a header of traffic to be transmitted to 
authenticate the system to one of the other networked devices. 

29. (Currently Amended) An article of manufacture comprising a tangible machine 
accessible medium having content stored thereon to provide instructions to cause a machine 
to perform operations including: 

provisioning a symmetric cryptographic key across multiple clients through multiple 
embedded agents, each client having one of the embedded agents, one embedded agent in 
each client having an embedded agent to store the symmetric cryptographic key in a storage 
accessible to the embedded agent and not directly accessible to a host processor on the client; 
and 

providing access to an encrypted traffic flow in a network to a client one of the clients 
if the client one of the clients is authenticated with the key , the providing including 

the one of the clients receiving a message requesting a secure connection for 
the encrypted traffic flow, 

prior to any allowing of the requested secure connection, the embedded agent 
of the one of the clients verifying that a platform of the one of the clients is not in a 
compromised state at a time before providing access to the encrypted traffic flow, and 

in response to the message requesting the secure connection and the verifying, 
the embedded agent of the one of the clients providing the key and an assertion that 
the one of the clients is not compromised to a verification entity on the network . 

30. (Currently Amended) An article of manufacture according to claim 29, wherein the 
content to provide instruction to cause the machine to perform operations including 
provisioning the key through the embedded agents further comprises the content to provide 
instruction to cause the machine to perform operations including provisioning the key 
through an embedded agent having network access via a network link not visible to a host 
operating system (OS) running on the client one of the clients . 

31. (Currently Amended) An article of manufacture according to claim 30, wherein the 
content to provide instruction to cause the machine to perform operations including providing 
access to the traffic flow if the client one of the clients is authenticated comprises the content 
to provide instruction to cause the machine to perform operations including authenticating 
the client one of the clients with the embedded agent over the network line not visible to the 
host OS. 

32. (Original) An article of manufacture according to claim 29, wherein the content 
to provide instruction to cause the machine to perform operations including providing access 
to the traffic flow further comprises the content to provide instruction to cause the machine to 
perform operations including providing multiple clients access with the key to nodes in the 
network, the nodes in the network to decrypt the traffic flow and subsequently encrypt the 
traffic flow to transmit the traffic to a next node in the network. 

33. (Original) An article of manufacture according to claim 29, further comprising 
the content to provide instruction to cause the machine to perform operations including 
updating at a client the symmetric cryptographic key provisioned across the multiple clients 
through a public and private key exchange with a public and private key associated with the client. 

34. (Canceled). 

35. (Currently Amended) An article of manufacture according to claim [[ 34 ]] 29, 
further comprising the content to provide instruction to cause the machine to perform 
operations including indicating with the embedded agent to a remote network device if the 
client one of the clients is compromised. 
36. (Currently Amended) An article of manufacture according to claim [[ 34 ]] 29, 
further comprising the content to provide instruction to cause the machine to perform 
operations including foreclosing with the embedded agent network access to the client one of 
the clients if the client one of the clients is compromised. 

37. (Original) An article of manufacture according to claim 29, further comprising 
the content to provide instruction to cause the machine to perform operations including 
performing cryptographic functions on data with the key to authenticate data with the key. 

38. (Original) An article of manufacture according to claim 29, further comprising 
the content to provide instruction to cause the machine to perform operations including 
placing a derivative of the key in a header of data to be transmitted to authenticate the data 
with the key. 